Port Mirroring question (iptables -tee)



New Around Here
I have been doing hard testing on port mirroring with iptables -tee. My starting point has been the related topics in this forum (thanks!). My intention is to capture (mirror) all traffic from one host (RPi to internet to a testing box (ubuntu

Usually this is done with iptables -tee command affecting the 'mangle' table for PREROUTING and POSTROUTING chains, to clone incoming and outgoing packets.
iptables -t mangle -A PREROUTING -j TEE --gateway
iptables -t mangle -A POSTROUTING -j TEE --gateway

In my testing, I have discovered that the iptables rules must be set carefully in order to avoid duplicating packets. If we don't specify source/destination IPs, the packets from LAN to internet will be cloned by both the PRE- and POSTROUTING rules, and since both have the same source IP ( in my test) there are DUP packets in the capture. (The answers in this forum are correct, because they specify the src IP address in the PRE- rule and the dst IP in the POST- rule, so no DUPs.)

My problem is that, when performing the capture in the gateway box, only the initial 3-way handshake TCP connection is captured. Later, I have learnt that this is because conntrack is in action.

I have tested doing the capture in the mangle and raw tables in PREROUTING, but the behavior is the same. I had expected that, cloning the packets at the raw table of PREROUTING, all traffic would be cloned, but it is not.

My question is: Is this behavior what is expected? That is, does conntrack take precedence over iptables, and once a conntrack entry is saved, no traffic traverses iptables? If so, how can I clone all traffic to the testing box?

I attach an image capture from the testing box of a web request from the RPi to a web page, with the following iptables rules. Note that all traffic is SYN/ACK (traffic to google is also captured, due to using Chromium, but it is also SYN/ACK).
iptables -t raw -A PREROUTING -s -j TEE --gateway
iptables -t raw -A PREROUTING -s -j TEE --gateway

1st conntrack or raw??
2nd conntrack or raw??
3rd mangle
4th nat



Part of the Furniture
Disable hardware acceleration and you should see the packets. If you still have problems I suggest you try using these commands with the Wireshark filter set to ip.addr ==
modprobe xt_TEE
iptables -t mangle -A PREROUTING  -s -j TEE --gateway
iptables -t mangle -A POSTROUTING -d -j TEE --gateway
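As an added example (not part of the thread, and not the poster's own commands), the rule set above wrapped in a small POSIX shell script. The point it makes explicit is the de-duplication the thread arrives at: the PREROUTING rule matches only on the mirrored host as source, and the POSTROUTING rule only on it as destination, so each packet is cloned exactly once. It also adds a counter check: if the TEE rules' packet counters stop growing after the handshake while the flow is still moving data, netfilter is no longer seeing the flow, which is the hardware-acceleration (CTF) symptom described in this thread. The addresses 192.168.1.50 and 192.168.1.100 are made-up placeholders; real use needs root on the router and a capture box on a directly attached subnet.

```shell
#!/bin/sh
# Added example: mirror one LAN host's traffic to a capture box with xt_TEE
# without producing duplicate packets. Addresses are placeholders.

# Print the three commands for mirroring traffic of $1 (host) to $2 (capture box).
# PREROUTING matches on source only, POSTROUTING on destination only, so a
# packet in either direction matches exactly one rule and is cloned once.
tee_rules() {
    host="$1"      # LAN host whose traffic is mirrored
    capture="$2"   # box running Wireshark/tcpdump, on a directly attached subnet
    printf '%s\n' \
        "modprobe xt_TEE" \
        "iptables -t mangle -A PREROUTING  -s $host -j TEE --gateway $capture" \
        "iptables -t mangle -A POSTROUTING -d $host -j TEE --gateway $capture"
}

# Show the TEE rules with packet/byte counters. Run it twice during a long
# download: if the counters barely move while the transfer continues, the
# flow is being forwarded outside netfilter (e.g. hardware NAT acceleration)
# and only the handshake packets were ever available to TEE.
show_tee_counters() {
    iptables -t mangle -L PREROUTING  -v -n -x | grep TEE
    iptables -t mangle -L POSTROUTING -v -n -x | grep TEE
}

# Usage:
#   ./tee_mirror.sh                       -> print the rules for the placeholders
#   ./tee_mirror.sh --apply HOST CAPTURE  -> run them (needs root on the router)
#   ./tee_mirror.sh --counters            -> show how many packets TEE has seen
case "$1" in
    --apply)
        tee_rules "$2" "$3" | while IFS= read -r cmd; do $cmd; done
        ;;
    --counters)
        show_tee_counters
        ;;
    *)
        tee_rules "${1:-192.168.1.50}" "${2:-192.168.1.100}"
        ;;
esac
```

Running the script without `--apply` only prints the commands, so it can be reviewed before anything touches the mangle table; `--counters` is the quick check to run before assuming conntrack is at fault, since a rule that is never traversed shows the same "only SYN/ACK captured" symptom as the thread describes.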


New Around Here
Thank you so much!!!!

Disabling hardware acceleration (NAT acceleration - CTF) did the trick! All packets are cloned and captured by Wireshark.

I should have read something about HW acceleration; now that I have, everything is clear. Thank you very much for your help and support.

I attach the capture with exactly the same test that I made in my previous post (I have hidden my public IP, since I am capturing the webserver responses at the PREROUTING level).

